Skip to content

Getting Started

Taco is an open-source management portal that sits in front of your OAuth2 authorization server. It gives teams a self-service UI to create and configure OAuth2/OIDC and SAML clients, while giving platform owners a policy-gated approval workflow before anything reaches production.

Client Management

Create, update, clone, and delete OAuth2/OIDC and SAML clients. Manage resource servers (APIs) and their scopes.

Multi-Provider

Connects to Ory Hydra, Auth0, Azure Entra ID, or any RFC 7592-compliant authorization server. Switchable via OPENID_PROVIDER.

Multi-Tenant

Organizations and teams with role-based access: member, reviewer, org admin/owner, and instance admin.

Client Registration Workflow

Policy-gated approval with a human review queue, change sets for active clients, and pre-approved templates. Available on the Business plan.

Analytics

Aggregated client and user stats: counts by grant type, application type, and classification, plus active-user trends.

White-label Branding

Customize logo, colors, and domain. Available on the Business plan.

FeatureLiteTeamBusiness
Client management
Organizations
Onboarding wizard
Analytics
Teams
White-label branding
Client registration workflow
FeatureOry HydraAuth0Azure Entra IDRFC 7592
OAuth2/OIDC clients
SAML clients
Resource servers⚠️ Derived✅ Native⚠️ Derived
Client cloning⚠️ Provider-dependent
  1. Choose a provider

Taco supports four provisioning backends. Pick the one you already run:

  • Ory Hydra (self-hosted OAuth2/OIDC server)
  • Auth0
  • Azure Entra ID (app registrations)
  • Any RFC 7592-compliant authorization server (Keycloak, Spring Authorization Server, etc.)

See the Providers section for setup instructions for each.

  1. Choose a plan tier

Set PLAN_TIER to lite, team, or business. See the plan comparison for feature differences.

  1. Configure environment variables

    At minimum, set:

    Terminal window
    BASE_URL=https://taco.example.com
    PLAN_TIER=lite
    BETTER_AUTH_SECRET=$(npm run auth:secret --silent)
    DATABASE_URL=pgsql://user:pass@host:5432/taco
    EMAIL_FROM="Taco <noreply@example.com>"
    EMAIL_SERVER=smtps://user:pass@smtp.example.com
    OPENID_PROVIDER=ory
    # ... provider-specific vars

    Full reference: Configuration.

  2. Run Taco

Terminal window
docker run -d \
--env-file .env \
-p 3000:3000 \
ghcr.io/cerberauth/taco:lite-latest
  1. Access the dashboard

    Open BASE_URL in your browser. If SSO is not configured, you will be prompted to sign in with email/password. Create the first admin account on first run.